
Best Practices for Environments-Security Groups-Teams-User

Hi Community, 

 

I am not sure if this is the right place, but I haven't found any "admin" section in the Power Platform Subforums. 

I am currently looking at the creation of environments and I found that there are multiple ways to set things and accesses, as there are the environments themselves, security groups, teams, users and roles.

 

I also tried online research but I haven't found any good description or advice on how to make the best use of them. 

This is what I made up so far:

 

Security Groups as a pre-filtering. If there is already a Teams team/SharePoint team or whatever, you can make use of that to prefilter. However, I do not know if it's reasonable to create a security group for each environment (and so for each solution because of DLP reasons). 

 

Teams. I would go for a "Developer"-Team to assign developers to it and the related role to it. This should ease that I do not have to assign roles to each of the developers separately. 

 

However, I think that there might be better approaches based on experience towards this.

 

Maybe you can give me some advice/experience in this context? 
Thanks a lot in advance.

3 REPLIES
Velegandla
Solution Sage

@BennyS27 :

 

If you do not have any env strategy, the first step is to define how you want to structure your environments.

 

Are the environments used by business users to develop apps or pro devs?

 

Once you define that, you can have a separate approach for each category.

 

For business users, you can have DEV and PROD environments, whereas for pro devs you need to have DEV/TEST/UAT and PROD environments. 

 

It seems in your case you have developers who are building solutions. So start with an Azure AD group for developers and associate the AD group with a team in the DEV environment. In this case only your developer team will develop the solutions. 

 

According to who needs access for TEST/UAT/PROD - you can create separate AD groups and manage the users for each scenario.

 

Sometimes, less is better.

 

Also, keep an eye on new changes coming to environments such as grouping, leveraging managed environments, etc., which could help further in managing and securing the environments.

 

Hope this gives a starting point. 

====================================================

If this response helped you in any way, please give kudos by clicking the 'Thumbs Up'/'Like' button and/or marking it as an 'Accepted Solution'. This helps others by providing a quick way to identify likely solutions to their issues.

https://www.linkedin.com/in/devendravelegandla/

 

 

 

Hi @Velegandla ,

 

thank you for your fast response.

 

We have indeed an environment strategy so far. We are creating a set of environments for every "professionally" built solution including Dev-Test-Prod. All processes to get there and forth are set and properly implemented. User management is currently done manually, which is why I wanted to understand all capabilities and possibilities within the admin center to have a better overview.

 

I get the point of the AD Group - however, in our case, this would mean that we have to create a lot of AD groups which can mess up the AD system itself because of various reasons. Having too many AD groups is definitely not a good way to resilience.

This is why I wanted to understand the "Teams" and "Users" a little bit better - maybe there is something of interest for us and best practices here would be superb.

 

So far, I could imagine that the security Group is used for prefiltering if there is no fitting group - if there is a fitting group already then use it as final filtering.

For separating between admins and developers, use the teams to create two teams. I guess apps have to be shared anyway separately?

 

And so on, but I am not sure if this is a good approach. 

 


> I get the point of the AD Group - however, in our case, this would mean that we have to create a lot of AD groups which can mess up the AD system itself because of various reasons. Having too many AD groups is definitely not a good way to resilience.
>
> This is why I wanted to understand the "Teams" and "Users" a little bit better - maybe there is something of interest for us and best practices here would be superb.
>
> So far, I could imagine that the security Group is used for prefiltering if there is no fitting group - if there is a fitting group already then use it as final filtering.
>
> For separating between admins and developers, use the teams to create two teams. I guess apps have to be shared anyway separately?
>
> And so on, but I am not sure if this is a good approach.

 


In your environment strategy, I would ask whether these questions have been answered, if not answered before.

 

  • Who will create the environments and manage it? 
  • Does the user access control need to be part of env admins or IT department managing AD groups? 
  • What is the risk if env admins add more people or grant access without IT control?
  • How many AD groups are too many? 
  • How many environments are too many?
  • Does every professionally built project have different developers or the same?
  • Are each application's business impact and criticality being answered before creation of the environment?

Once you answer those questions, then I would decide on AD groups or Teams.

 

You can use teams in Dataverse and add users, which means the system admins of the env have the control. Do you have a process to train the system admins? If not, what is the risk?

 

If you like to manage the access then Teams are a great way to manage. If you would like to manage from central then AD groups.

 

In a nutshell.

If the application is Low critical and business impact is less, then I might go with Teams for managing access and will train the admins to monitor it. 

 

If the application is High critical and has major impact on business, I prefer a central managed access system. 

 

Every organization is different and there is no one way to do as long as expectations of benefits and risks are understood and communicated with all the relevant stakeholders.

 

For Sharing the apps you can use the AD groups as well. Yes, once the apps are developed you need to share them explicitly. 

====================================================

https://www.linkedin.com/in/devendravelegandla/ 
